About Me

Hello, my name is Thomas Cope and I currently work as the Chief Security Officer at Qush Security. I manage the end-to-end security of our Enterprise DLP product (from design, threat model, SDLC, release and support) alongside managing the PSIRT & Product Security teams and our ISO 27001 certification. Before joining Qush I worked for eight years as a Cloud Cyber Security Architect at IBM while studying part-time at Oxford University for a Master’s Degree in Software and Systems Security.

I am an experienced Security Architect and Systems Engineer with a passion for designing, building and maintaining secure systems, processes and teams. I have strong experience in both Cloud and containerized (Docker / Kubernetes) platforms while working in DevSecOps environments. I enjoy programming and electronics in my spare time - you can learn more in the “Projects” sections below. I have a keen interest in Security and Cryptography. I enjoy designing and building secure systems / software as well as performing security research on pre-existing systems / software. I am CISSP Certified as well as a Redhat Linux System Engineer. I use these skills extensively at work and for the support of this server, which is used to host both my own and a friend’s projects (Server Status).

In my spare time, I am a STEM Ambassador and an Associational (MBCS) Member of the British Computer Society. I play games such as TF2, Counter-Strike, Valorant and Minecraft. I am an avid runner and enjoy a good game of badminton. I also enjoy skiing when I get the chance. Feel free to drop me a line on my LinkedIn, GitHub or YouTube. Plus I use GPG if you want to send me encrypted mail (PubKey).

Blog posts

Some of my ramblings:

BSides Basingstoke Presentation

Abstract: I was invited to BSides Basingstoke where I presented a talk guiding the audience through my own practical security research experience developing CVE-2020-5014. I walk through the process of…

(Posted on 15 July 2022 · 1 min read)

Newcastle University Presentation

Abstract: I presented my talk “From Zero to SSRF to RCE and back again” to the Newcastle University Competitive Computer Science Society. In the talk I explain “Ethical Hacking Journey…

(Posted on 21 May 2022 · 1 min read)

IBM HMC Exploit CVE-2021-29707

During some security research I discovered a method in which the local user account restricted in the HMC shell could be used to escalate privilege to root access. The post…

(Posted on 19 July 2021 · 9 mins read)

X Series RAID Card Stuck Boot

The Issue: I was able to acquire a second-hand IBM System x3650 M4 BD (5466). I wanted to replace the ServeRAID card with a “ServeRAID M1015 LSI 9220-8i 6GB…

(Posted on 28 January 2021 · 2 mins read)

IBM Datapower Exploit CVE-2020-5014

During some personal security research I discovered an SSRF vulnerability in IBM Datapower which could then be upgraded to RCE. The practical upshot of which is with an authenticated session…

(Posted on 21 October 2020 · 3 mins read)

Debugging Valorant

I had quite a few issues getting Riot Games’ new first-person shooter Valorant running on my laptop. This is a brief post to cover some of the techniques I…

(Posted on 17 July 2020 · 6 mins read)

NahamCon CTF (2020)

I took part in NahamCon CTF. It was a two-day event but I was only able to make it for the last 1/2 of the last day. I scored…

(Posted on 13 June 2020 · 6 mins read)

Docker setuid & setgid weirdness

During some work on a project I came across some strange behaviour in how Docker handles setuid & setgid. In Linux the setuid and setgid C calls are used to…

(Posted on 20 February 2020 · 8 mins read)

Zip Encryption Known Plain Text Attack

In this post I would like to highlight a really old flaw with the encryption used by the zip file format. This is a known text attack based on the…

(Posted on 05 December 2019 · 4 mins read)

Quick and Dirty Reverse Engineering

A while ago I had to work with a particularly frustrating application that was required to connect to a hardware appliance. Both of which will remain unnamed in this post….

(Posted on 15 November 2019 · 5 mins read)

Oxford Foundry CTF (2019)

The Oxford Competitive Computer Society hosted a Capture the Flag event which was great fun; I ranked third on the scoreboard. Below are my favorite challenges with a video of…

(Posted on 09 June 2019 · 1 min read)

Projects

A selection of my favorite projects:

ssh_ws

Homegrown implementation of Google's BeyondCorp security system (Zero Trust)

This is a demonstration of a proof of concept I built to tunnel SSH traffic over WebSockets using the same system Google uses (Zero Trust) to secure SSH access. It used JWT, mTLS and OAuth. I built both a client and server application to achieve this.

bad_scp

A Proof of Concept of the Linux command ‘scp’ client side vulnerabilities (CVE-2019-6111 + CVE-2019-6110)

I reverse engineered and created a practical demo of the CVE-2019-6111 + CVE-2019-6110 vulnerabilities.

MSc in Software and Systems Security

Details of my Master's Degree, chosen modules and dissertation

I attended Oxford University for an MSc in Software and Systems Security. This page details the 3 software and 7 security modules I attended along with an explanation of my dissertation.

Photography

A collection of random photos

I would not describe myself as a photographer or the kind of chap to have an Instagram, but I do enjoy taking photos, so I thought I’d put a few of my faves on here.

Beans

A simple REST API Based Game

A REST API game where the objective is to have the most beans by the end of the day.

bash_bunny - scvtrs

Simple Cross platform Volatile TCP Reverse Shell using a Bash Bunny

Using the Bash Bunny from Hak5 I built a payload that can determine the host OS using p0f and then deliver the required payload.

Pastejacking 2

An expansion on the original pastejacking attack using bash tricks

This is a demo of a new pastejacking attack using bash and command line tricks to fool the user into executing malicious code.

Arduino Minecraft Monitor

A helpful Arduino Library for polling Minecraft Servers

A custom-made Arduino library to query a Minecraft server using the bespoke UDP query API.

Arduino Door Lock

Fingerprint and Android Style Pattern Lock

An Arduino door lock using a fingerprint scanner and a 7 inch touch screen.

Golang Screen Saver

A snake style terminal screen saver written in Golang

A really simple terminal screen saver written in Golang using the tput library.

OpenCV Recorder

A simple but customizable webcam recorder using OpenCV.

A companion application to the TSTP that allows OpenCV videos to be saved and then played back.

Arduino Iron Key

An Arduino-based portable secure memory stick.

I recreated the functionality of a hardware encrypted memory stick (such as ‘IronKey’ or ‘Datashur’) using the Arduino micro-controller and an SD card shield.

TSTP

Toms Sentry Tracking Program

This is the 3rd incarnation of my Sentry Tracking program. Using OpenCV and C++, this project dynamically scans a webcam or video feed and tracks one or more targets.

TVBG

Toms Very Basic Game

One of the largest programs I’ve written. A simple space shooter written in C++ using OpenGL and a custom-made game engine.

TVTS

Toms Vehicle Tracking System (Arduino GPS)

An Arduino-based GPS and GRSM Tracking System using a custom-built library for the Maplin GSMShield. The Arduino acquires a GPS lock, reads the value and sends the data encrypted via UDP to a collection server.

CCB

Conference Call Bingo

A fun game to play while on a conference call.

Datapower XML to JSON

Gateway script to convert XML to JSON

A really simple gateway script to be used on an IBM Datapower to convert XML to JSON using built-in Datapower functions.

Languages

I primarily write Go / Golang and shell scripts day to day. I have experience with the below languages:

Programming Languages

Markup Languages

Skills

Tools / Software:

IBM Specific:

Operating Systems:

Clouds

Qualifications

Certifications

Awards

Contact
